Kaniko: Kaniko-Built Image Cannot Be Pulled from Repo Due To Symlink Error

downgrading to debug-v0.16.0 fixed my issue (symlinking to /proc/self/fd/1 and 2). let me know if it would help for me to try later versions. i first had trouble with whatever 'debug' was pointed at two days ago.

@cvgw Based on Simeon's comment, we will downgrade to the debug version of v0.16.0 until latest is fixed.

I suspect this may be related to the issue in #1039

@vguaglione would you mind giving tag 1039-fix-test or debug-1039-fix-test a try? I think that might resolve the issue, but I'd appreciate if you could give it a try. Thanks!

I did some testing and it doesn't look like 1039-fix-test fixes this issue. I do believe that the issues are related.

My theory is that https://github.com/GoogleContainerTools/kaniko/blob/8d9e6b8ea54274f73517f11c113c13cd03d26349/pkg/snapshot/snapshot.go#L183

Causes the resolved link to also be added to the layer (i.e. adding /usr/lib/.build-id/c0/b98a... and /lib64/libBrokenLocale.so.1). In this case /lib64/libBrokenLocale.so.1 is not itself a link, but instead it's parent directory /lib64 is a link to /usr/lib64.

My belief is that this causes the links (i.e. /lib64/libBrokenLocale.so.1) to be directly added to the tar which breaks the existing link /lib64 => /usr/lib64.

Removing the code at https://github.com/GoogleContainerTools/kaniko/blob/8d9e6b8ea54274f73517f11c113c13cd03d26349/pkg/snapshot/snapshot.go#L183 appears to fix the issues, which would be inline with the proposed theory as only the resolved path and not the link path would be added.

If this is indeed the cause, I think the fix would be to check whether a given path itself is a link or if one of it's ancestors is actually the link.

I did some quick checking and on linux trying to create a link for a file whose ancestor is already a link causes an error which I think adds weight to the theory; in our case we are writing the links to the layer tar so the error isn't hit until the filesystem tries to resolve the layers on pull. e.g.

$ ls /usr/lib/bar
=> /usr/lib/bar/foo.txt
$ ln -s /usr/lib/bar barlink
$ ln -s /usr/lib/bar/foo.txt barlink/foo.txt
=> ERROR

@cvgw Sorry, wasn't able to get back to this over the weekend. Feel free to add @simeonberkley when you need for us to verify any changes.

@cvgw Sorry, wasn't able to get back to this over the weekend. Feel free to add @simeonberkley when you need for us to verify any changes.

No worries @vguaglione. I didn't expect you to respond over the week; I just happened to have some free time to test it myself.

@cvgw

My theory is that https://github.com/GoogleContainerTools/kaniko/blob/8d9e6b8ea54274f73517f11c113c13cd03d26349/pkg/snapshot/snapshot.go#L183
Causes the resolved link to also be added to the layer (i.e. adding /usr/lib/.build-id/c0/b98a... and /lib64/libBrokenLocale.so.1). In this case /lib64/libBrokenLocale.so.1 is not itself a link, but instead it's parent directory /lib64 is a link to /usr/lib64.
My belief is that this causes the links (i.e. /lib64/libBrokenLocale.so.1) to be directly added to the tar which breaks the existing link /lib64 => /usr/lib64.

Removing fileWithSymlinks might break #915 i.e. copying symlinks across multistage docker.

1. We need to add only copy the target files to tar
2. We need to save the target file to /kaniko/{stg_idx} for later use.

e.g. in case where

From busybox as foo
Run echo "hello" > /tmp/target.txt
RUN ln -s /tmp/target /tmp/link --- layer B

Copy --from=foo /tmp/link /tmp/copied

We should only add /tmp/link to the layer B.
We should save /tmp/link with contents of "hello" to /kaniko/0/tmp/link

Is my understanding correct?
I think in #971, we saved both /tmp/link and /tmp/target to /kaniko/0 and also added them to layer B

We've committed a change which I believe will fix this. If anyone feels like testing tags a1af057f997316bfb1c4d2d82719d78481a02a79 and debug-a1af057f997316bfb1c4d2d82719d78481a02a79 have the new code

@cvgw Ok, I went ahead and tested this and it appears to fix the issue. @simeonberkley Can you also run your tests with this updated image and let Cole know if those tests are successful?

@vguaglione, I was having the same error with kaniko:debug
ERROR: Job failed: image pull failed: rpc error: code = Unknown desc = Error committing the finished image: error adding layer with blob "sha256:db37edea0ded56df3b03d6f76eedd9cd1303d1f6e4920588aa28b37c94d47b8f": Error processing tar file(exit status 1): open /bin/nc.traditional: no such file or directory
I can confirm that tag debug-a1af057f997316bfb1c4d2d82719d78481a02a79 fixed the problem. What's the plan to push to the :debug tag? Is there a pull request I could follow?

@cvgw Let us know when this fix becomes available via the standard debug tag. Thanks.

@cvgw Ok, I went ahead and tested this and it appears to fix the issue. @simeonberkley Can you also run your tests with this updated image and let Cole know if those tests are successful?

I started using the '--cache' option, which isn't going so well currently. I have a couple of projects doing automated builds overnight, and they fail about half the time so far, but can be re-run after deleting the cache. This was with the 0.16.0 image. I tried out debug-a1af057f997316bfb1c4d2d82719d78481a02a79 and 0.16.0, and they both error out with:
"""
INFO[0074] Found cached layer, extracting to filesystem
error building image: error building stage: failed to execute command: extracting fs from image: removing whiteout .wh.dev: unlinkat //dev/pts/ptmx: operation not permitted
ERROR: Job failed: command terminated with exit code 1
"""

I can switch back to building without cache, which I think will solve my problem, but will make the overnight builds superfluous because they were put in place to bump the cache (ttl 24h) so that we can take advantage of the speed up while keeping things up-to-date (and running a vuln scan).

@simeonberkley @cvgw I didn't try the cache option for my tests, FYI. We have tested some of our images with caching turned on in the past, but we haven't tried it with this specific fix version.

@cvgw Ok, I went ahead and tested this and it appears to fix the issue. @simeonberkley Can you also run your tests with this updated image and let Cole know if those tests are successful?

I started using the '--cache' option, which isn't going so well currently. I have a couple of projects doing automated builds overnight, and they fail about half the time so far, but can be re-run after deleting the cache. This was with the 0.16.0 image. I tried out debug-a1af057f997316bfb1c4d2d82719d78481a02a79 and 0.16.0, and they both error out with:
"""
INFO[0074] Found cached layer, extracting to filesystem
error building image: error building stage: failed to execute command: extracting fs from image: removing whiteout .wh.dev: unlinkat //dev/pts/ptmx: operation not permitted
ERROR: Job failed: command terminated with exit code 1
"""

I can switch back to building without cache, which I think will solve my problem, but will make the overnight builds superfluous because they were put in place to bump the cache (ttl 24h) so that we can take advantage of the speed up while keeping things up-to-date (and running a vuln scan).

If you have a cache that is persisted between versions you might try clearing it.

That is to say, don't try to re-use a cache from v0.16.0 with v0.17.0

@tejal29 we might want to consider including the commit sha of kaniko in the cache key so that the cache gets invalidated with a new kaniko version.

We found the same issue. Clearing all cache between versions helped.

On Thu, Feb 27, 2020, 5:46 PM Cole Wippern notifications@github.com wrote:

@cvgw https://github.com/cvgw Ok, I went ahead and tested this and it
appears to fix the issue. @simeonberkley
https://github.com/simeonberkley Can you also run your tests with this
updated image and let Cole know if those tests are successful?

I started using the '--cache' option, which isn't going so well currently.
I have a couple of projects doing automated builds overnight, and they fail
about half the time so far, but can be re-run after deleting the cache.
This was with the 0.16.0 image. I tried out
debug-a1af057f997316bfb1c4d2d82719d78481a02a79 and 0.16.0, and they both
error out with:
"""
INFO[0074] Found cached layer, extracting to filesystem
error building image: error building stage: failed to execute command:
extracting fs from image: removing whiteout .wh.dev: unlinkat
//dev/pts/ptmx: operation not permitted
ERROR: Job failed: command terminated with exit code 1
"""

I can switch back to building without cache, which I think will solve my
problem, but will make the overnight builds superfluous because they were
put in place to bump the cache (ttl 24h) so that we can take advantage of
the speed up while keeping things up-to-date (and running a vuln scan).

If you have a cache that is persisted between versions you might try
clearing it.

That is to say, don't try to re-use a cache from v0.16.0 with v0.17.0

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
https://github.com/GoogleContainerTools/kaniko/issues/1038?email_source=notifications&email_token=AABBQ6N463XQMCC7Y3HGFETRFA7FPA5CNFSM4KRSOIYKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOENGIGYA#issuecomment-592216928,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AABBQ6LUJRL3WTUJ6JCN2G3RFA7FPANCNFSM4KRSOIYA
.

@simeonberkley @cvgw I successfully tested debug-a1af057f997316bfb1c4d2d82719d78481a02a79 with caching turned on with the sample dockerfile provided here in this thread. @tejal29 Yes, cache invalidation would be a nice feature here otherwise there will likely be some confusion within our user base. Thank you both for helping with this issue.

Thank you everyone for reporting your findings and helping to test. I'm gonna close this one, but feel free to reopen if needed.